Server Installation: No information is Central regarding date and time of install?

Hi Michael McGee 

Unfortunately, Sophos central purges logs which are older than 90 days as it is based on cloud storage and because of this it is never possible to show the install date and time logs.

You'll be able to find the installation logs on the particular endpoint which will have a date and time.

All of the 60 installations were completed over the last two weeks, so retention is not an issue.
Central doesn't store and expose this information to me? Seems like even the most basic of management consoles would have this type of information available in a report..

Sorry if this seems like a dumb question but Sophos Central isn't an Alpha product so If I have to go to each endpoint to get the information, what's the point of even having a "Central"ized management console?

Michael

All of the 60 installations were completed over the last two weeks, so retention is not an issue.
Central doesn't store and expose this information to me? Seems like even the most basic of management consoles would have this type of information available in a report..

Sorry if this seems like a dumb question but Sophos Central isn't an Alpha product so If I have to go to each endpoint to get the information, what's the point of even having a "Central"ized management console?

Michael

Hi Michael McGee 

I agree that you have completed installation over the last week, so central should have all the information but what about after 6 months, the installation date and time log might be purged and Central may get fail to show the date and time.

Unfortunately, because of that reason, it might not be available at the moment. You can submit a feature request here or you can vote if it already exists.

The time/date of the installation can be found in Central, located in the Events tab when viewing the server properties.  Since alll of your devices were installed within the last 2 weeks you'll easily be able to identify the install date. The oldest entry in the Events will show the date and time that the device registered with Central.  The event data is only kept in Central for 90 days as previously noted, so if you needed this information beyond that period, you would need to check the date on the installation log file under C:\Programdata\Sophos\CloudInstaller\Logs to determine the date of install.

Thanks Joe,

Do you know if there's any way to expose this information in a report? Otherwise, the Central console is a click-fest to try and get this information if I have 20 new installs out of 100 servers as I will have to click-through the event logs for all 100 to find the 20 that were installed recently.

I inherited our Central Endpoint installation and the more that I dig in, the more that I realize that this isn't a tool for any enterprise if all of this basic information can't be exposed via simple reporting and everything is considered transient so there's only recently a way to catalog historical data if I build an API and migrate this transient data to an external SIEM.

Michael

Just a thought-

As far as I know there is not a way to show this info in reports easily, I know this is a Sophos question so you are looking for a Sophos answer.  But it can be difficult, even if you were trying to find this in Windows and ran something like-

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize > C:\installed.txt 

You will get a list of all apps installed, with their install date.  Most are accurate, however Sophos's install date will change when updates/features are updated within your Sophos install itself even within Windows because the application is re-installed when these major changes take place.  Please know, I am not 100% on what is all changed on the re-install, but I am aware from monitoring Sophos Central on multiple end points over the years that it is enough for Windows to either consider it freshly installed and or Sophos to push the install date to change in their code. 

Yes, you can retrieve the events under Logs and Reports.  Select Events.  Then at the top in "Choose period" select the time period you want to report on.  Then clear the tick mark labeled "Type" to de-select all the events.  Scroll down to "Protection Issues", expand that.  Then select "New computer or server registered".  Then click on the blue Update button.  You can also save this as a custom report and if desired set a schedule to run it weekly and have it email the report.

Hi Michael McGee 

As Joe has mentioned, above is the one option and also one another option in the same "Protection issues" type,  "New computer or server protected" under the option File Integrity Monitoring - Resumed which will also provide you with the same information but this will be restricted to 90 days data. Any computer registered or protected before 90 days will not be shown there.

Thank you GIJoe for your help on this.

Exactly what I was looking for Joe!
I never would have found it in the noise of (or even though to look into the section entitled) "Protection Issues" for new installations.

Thank you
Michael